|  |  |  |  | Interpretation | Instructions ser |  | Probe for translated code | I/O memory reference exceptions |
|---|---|---|---|---|---|---|---|---|
| 00 | Tap | Tap | no | Native code observing native RISCy calling conventions | Native decoder | No | No | Fault if SEG.tio |
| 01 | Tap | x86 | no | Native code observing x86 calling conventions | Native decoder | No | No | Fault if SEG.tio |
| 10 | x86 | x86 | no | x86 code, unprotected - TAXi profile collection only | x86 HW converter | If enabled | No | Trap if profiling |
| 11 | x86 | x86 | yes | x86 code, protected - TAXi code may be available | x86 HW converter | If enabled | Based on I-TLB probe attributes | Trap if profiling |

Significance of the I-TLB property bits







| ISA & CC property values | Handler Action |
|---|---|
| 00 => 00 | No transition exception |
| 00 => 01 | VECT_xxx_X86_CC exception - handler converts from native to x86 conventions |
| 00 => 1x | VECT_xxx_X86_CC exception - handler converts from native to x86 conventions, sets up expected emulator and profiling state |
| 01 => 00 | VECT_xxx_TAP_CC exception - handler converts from x86 to native conventions |
| 01 => 01 | No transition exception |
| 01 => 1x | VECT_X86_ISA exception [conditional based on PCW.X86_ISA_ENABLE flag] - sets up expected emulator and profiling state |
| 1x => 00 | VECT_xxx_TAP_CC exception - handler converts from x86 to native conventions |
| 1x => 01 | VECT_TAP_ISA exception [conditional based PCW.TAP_ISA_ENABLE flag] - no convention conversion necessary |
| 1x => 10 | No transition exception - [profile complete possible, probe possible] |
| 1x => 11 | No transition exception - [profile complete possible, probe NOT possible] |

ISA & CC transition exception flow



| name | description | type |
|---|---|---|
| VECT_call_X86_CC | push args, return address, set up x86 state | fault on target instruction |
| VECT_jump_X86_CC | set up x86 state | fault on target instruction |
| VECT_ret_no_fp_X86_CC | return value to eax:edx, set up x86 state | fault on target instruction |
| VECT_ret_fp_X86_CC | return value to x86 fp stack, set up x86 state | fault on target instruction |
| VECT_call_TAP_CC | x86 stack args, return address to registers | fault on target instruction |
| VECT_jump_TAP_CC | x86 stack args to registers | fault on target instruction |
| VECT_ret_no_fp_TAP_CC | return value to RV0 | fault on target instruction |
| VECT_ret_any_TAP_CC | return type unknown, setup RV0 and RVDP | fault on target instruction |




[Figure: Flat 32-bit "Near" Address Space, with RISC and x86 code regions. Labels: "x86 -> RISC transition: map x86 call to RISC"; "RISC -> x86 transition: map x86 return to RISC"; "no ISA transition: no mapping required".]

[Figure: Flat 32-bit "Near" Address Space. Labels: "x86? RISC?".]

Transparency:

- x86 code adheres to traditional x86 stack-based conventions
- RISC uses higher performance register-based conventions
- Caller has no knowledge of callee's ISA
- Callee has no knowledge of ISA to which it will return

[Figure: Flat 32-bit "Near" Address Space. Labels: "RISC -> x86 transition: map RISC call to x86"; "x86 -> RISC transition: map RISC return to x86"; "no ISA transition: no mapping required".]

[Figure: Flat 32-bit "Near" Address Space, x86 code region. Labels: "x86 -> RISC transition: map RISC return to x86"; "RISC -> x86 transition: map RISC call to x86"; "no ISA transition: no mapping required".]

[Figure: Flat 32-bit "Near" Address Space. Labels: "RISC -> x86 transition: map x86 return to RISC"; "x86 -> RISC transition: map x86 call to RISC"; "no ISA transition: no mapping required".]

Fig. 3f
[Figure: function entry flow]

x86 Preamble:
(need not be inline)

- Load register args
- Fill-in RXA (return transfer argument area)

General_Entry:

    XD == 0?   (branches: YES, NO)

Native Entry:

Native Preamble:
(typically vacuous)

Varargs

    AP for a very big argument list

Function Body:

setupXD:

    XD <- <descriptor_constant>

RET





X86-to-Tapestry transition exception handler

// This handler is entered under the following conditions:
// 1. An x86 caller invokes a native function
// 2. An x86 function returns to a native caller
// 3. x86 software returns to or resumes an interrupted native function following
//    an external asynchronous interrupt, a processor exception, or a context switch

dispatch on the two least-significant bits of the destination address {
case "00"   // calling a native subprogram
    // copy linkage and stack frame information and call parameters from the memory
    // stack to the analogous Tapestry registers
    LR <- [SP++]        // set up linkage register
    AP <- SP            // address of first argument
    SP <- SP - 8        // allocate return transfer argument area
    SP <- SP & (-32)    // round the stack pointer down to a 0 mod 32 boundary
    XD <- 0             // inform callee that caller uses X86 calling conventions

case "01"   // resuming an X86 thread suspended during execution of a native routine
    if the redundant copies of the save slot number in EAX and EDX do not match or if
    the redundant copies of the timestamp in EBX:ECX and ESI:EDI do not match {
        // some form of bug or thread corruption has been detected
        goto TAPESTRY_CRASH_SYSTEM( thread-corruption-error-code )
    }
    save the EBX:ECX timestamp in a 64-bit exception handler temporary register
        (this will not be overwritten during restoration of the full native context)
    use save slot number in EAX to locate actual save slot storage
    restore full entire native context (includes new values for all x86 registers)
    if save slot's timestamp does not match the saved timestamp {
        // save slot has been reallocated; save slot exhaustion has been detected
        goto TAPESTRY_CRASH_SYSTEM( save-slot-overwritten-error-code )
    }
    free the save slot

case "10"   // returning from X86 callee to native caller, result already in registers
    RV0<63:32> <- edx<31:00>    // in case result is 64 bits
    convert the FP top-of-stack value from 80 bit X86 form to 64-bit form in RVDP
    SP <- ESI                   // restore SP from time of call

case "11"   // returning from X86 callee to native caller, load large result from memory
    RV0..RV3 <- load 32 bytes from [ESI-32]    // (guaranteed naturally aligned)
    SP <- ESI                   // restore SP from time of call
}
EPC <- EPC & -4    // reset the two low-order bits to zero

Fig. 3h
Tapestry-to-X86 transition exception handler

// This handler is entered under the following conditions:
// 1. a native caller invokes an x86 function
// 2. a native function returns to an x86 caller
switch on XD<3:0> {

XD_RET_FP:              // result type is floating point
    FO/F1 <- FINFLATE.de( RVDP )        // X86 FP results are 80 bits
    SP <- from RXA save                 // discard RXA, pad, args
    FPCW <- image after FINIT & push    // FP stack has 1 entry
    goto EXIT

XD_RET_WRITEBACK:       // store result to @RVA, leave RVA in eax
    RVA <- from RXA save                // address of result area
    copy decode(XD<8:4>) bytes from RV0..RV3 to [RVA]
    eax <- RVA                          // X86 expects RVA in eax
    SP <- from RXA save                 // discard RXA, pad, args
    FPCW <- image after FINIT           // FP stack is empty
    goto EXIT

XD_RET_SCALAR:          // result in eax:edx
    edx<31:00> <- eax<63:32>            // in case result is 64 bits
    SP <- from RXA save                 // discard RXA, pad, args
    FPCW <- image after FINIT           // FP stack is empty
    goto EXIT

XD_CALL_HIDDEN_TEMP:    // allocate 32 byte aligned hidden temp
    esi <- SP                           // stack cut back on return
    SP <- SP - 32                       // allocate max size temp
    RVA <- SP                           // RVA consumed later by RR
    LR<1:0> <- "11"                     // flag address for return & reload
    goto CALL_COMMON

default:                // remaining XD_CALL_xxx encodings
    esi <- SP                           // stack cut back on return
    LR<1:0> <- "10"                     // flag address for return
CALL_COMMON:
    interpret XD to push and/or reposition args
    [--SP] <- LR                        // push LR as return address

EXIT:
    setup emulator context and profiling ring buffer pointer
    RFE                                 // to original target
}

Fig. 3i
interrupt/exception handler of Tapestry operating system:

// Control vectors here when a synchronous exception or asynchronous interrupt is to be
// exported to / manifested in an x86 machine.

// The interrupt is directed to something within the virtual X86, and thus there is a possibility
// that the X86 operating system will context switch. So we need to distinguish two cases:
// either the running process has only X86 state that is relevant to save, or
// there is extended state that must be saved and associated with the current machine context
// (e.g., extended state in a Tapestry library call in behalf of a process managed by X86 OS)
if execution was interrupted in the converter - EPC.ISA = X86 {
    // no dependence on extended/native state possible hence no need to save any
    goto EM86_Deliver_Interrupt( interrupt-byte )
} else if EPC.Taxi_Active {
    // A Taxi translated version of some X86 code was running. Taxi will rollback to an
    // x86 instruction boundary. Then, if the rollback was induced by an asynchronous external
    // interrupt Taxi will deliver the appropriate x86 interrupt. Else, the rollback was induced
    // by a synchronous event so Taxi will resume execution in the converter, retriggering the
    // exception but this time with EPC.ISA = X86
    goto TAXi_Rollback( asynchronous-flag, interrupt-byte )
} else if EPC.EM86 {
    // The emulator has been interrupted. In theory the emulator is coded to allow for such
    // conditions and permits re-entry during long running routines (e.g. far call through a gate)
    // to deliver external interrupts
    goto EM86_Deliver_Interrupt( interrupt-byte )
} else {
    // This is the most difficult case - the machine was executing native Tapestry code on
    // behalf of an X86 thread. The X86 operating system may context switch. We must save
    // all native state and be able to locate it again when the x86 thread is resumed

    allocate a free save slot; if unavailable free the save slot with oldest timestamp and try again
    save the entire native state (both the X86 and the extended state)
    save the X86 EIP in the save slot
    overwrite the two low-order bits of EPC with "01" (will become X86 interrupt EIP)
    store the 64-bit timestamp in the save slot, in the X86 EBX:ECX register pair (and,
        for further security, store a redundant copy in the X86 ESI:EDI register pair)
    store the number of the allocated save slot in the X86 EAX register (and, again for
        further security, store a redundant copy in the X86 EDX register)
    goto EM86_Deliver_Interrupt( interrupt-byte )
}

Fig. 3j
typedef struct {
    save_slot_t *   newer;              // pointer to next-most-recently-allocated save slot
    save_slot_t *   older;              // pointer to next-older save slot
    unsigned int64  epc;                // saved exception PC/IP
    unsigned int64  pcw;                // saved exception PCW (program control word)
    unsigned int64  registers[63];      // save the 63 writeable general registers
                                        // other words of Tapestry context
    timestamp_t     timestamp;          // timestamp to detect buffer overrun
    int             save_slot_ID;       // ID number of the save slot
    boolean         save_slot_is_full;  // full / empty flag
} save_slot_t;

save_slot_t * save_slot_head;           // pointer to the head of the queue
save_slot_t * save_slot_tail;           // pointer to the tail of the queue

system initialization
    reserve several pages of unpaged memory for save slots

Fig. 3k
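
The save-slot integrity checks of Figs. 3h to 3k, as an added C sketch that is not part of the original figures: it shows how the redundant register copies and the slot timestamp separate register corruption from a slot that was reallocated while the x86 thread was suspended. The names `slot_t`, `x86_regs_t`, `save_native`, `resume_native`, `NSLOTS` and the error codes are assumptions; a single 64-bit word stands in for the full native context, and errors are returned rather than crashing the system.

```c
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 4u  /* constructed size; the figure only says "several pages" */
enum { RESUME_OK = 0, ERR_THREAD_CORRUPT = -1, ERR_SLOT_OVERWRITTEN = -2 };

typedef struct {
    uint64_t timestamp;  /* changes every time the slot is reallocated */
    uint64_t state;      /* stand-in for the full native context */
    int full;
} slot_t;
typedef struct { uint32_t eax, edx, ebx, ecx, esi, edi; } x86_regs_t;

static slot_t slots[NSLOTS];
static uint64_t next_ts = 1;  /* monotonic timestamp source (assumption) */

/* Save path: use a free slot, else evict the slot with the oldest timestamp.
   Slot number goes to EAX (copy in EDX), timestamp to EBX:ECX (copy in ESI:EDI). */
void save_native(uint64_t state, x86_regs_t *r) {
    unsigned id = 0;
    for (unsigned i = 0; i < NSLOTS; i++) {
        if (!slots[i].full) { id = i; break; }
        if (slots[i].timestamp < slots[id].timestamp) id = i;
    }
    uint64_t ts = next_ts++;
    slots[id] = (slot_t){ .timestamp = ts, .state = state, .full = 1 };
    r->eax = r->edx = id;
    r->ebx = r->esi = (uint32_t)(ts >> 32);
    r->ecx = r->edi = (uint32_t)ts;
}

/* Resume path (case "01"). The figure crashes the system on either failure;
   this sketch returns an error code and checks before restoring. */
int resume_native(const x86_regs_t *r, uint64_t *state_out) {
    if (r->eax != r->edx || r->ebx != r->esi || r->ecx != r->edi)
        return ERR_THREAD_CORRUPT;       /* redundant copies disagree */
    if (r->eax >= NSLOTS)
        return ERR_THREAD_CORRUPT;       /* bounds check: added here, not in the figure */
    slot_t *s = &slots[r->eax];
    uint64_t ts = ((uint64_t)r->ebx << 32) | r->ecx;
    if (!s->full || s->timestamp != ts)  /* the !full test is also an addition */
        return ERR_SLOT_OVERWRITTEN;     /* slot was reallocated since the save */
    *state_out = s->state;
    s->full = 0;                         /* free the save slot */
    return RESUME_OK;
}

int main(void) {
    x86_regs_t old, cur;
    uint64_t st = 0;
    save_native(0xAAAA, &old);                                   /* thread A suspended */
    for (unsigned i = 0; i < NSLOTS; i++) save_native(i, &cur);  /* exhaustion evicts A */
    printf("stale resume: %d\n", resume_native(&old, &st));
    printf("live resume:  %d\n", resume_native(&cur, &st));
    cur.edx ^= 1;                                                /* simulated corruption */
    printf("corrupt regs: %d\n", resume_native(&cur, &st));
    return 0;
}
```
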
[Figure: Flat 32-bit "Near" Address Space, transition handler flow]

Prepare x86 excep. or int.
- Alloc free or oldest save slot
- Store timestamp & full state
- x86 regs <- save slot ID, TS
- EPC<1:0> <- 01

Handler: RISC to x86

XD contains return-descriptor:
- Interpret XD:
  - Reformat / reposition result
  - Load FPCW
- SP <- [SP] // pop RA & args

XD contains call-descriptor:
- ESI <- SP
- Interpret XD, reposition args
- LR<1:0> <- 1x per XD
- Push LR as RA (ret addr)

Handler: x86 to RISC

EPC<1:0> = 00:
- LR <- [SP]
- SP <- SP + 4
- AP <- SP
- SP <- SP - 8 // ret area
- SP <- SP & (-32)
- XD <- 0

EPC<1:0> = 01:
- x86 regs points to save slot
- Using TS verify no overwrite
- Restore full state
- Free save slot

EPC<1:0> = 1x:
- Reformat / reposition the function result per EPC<0>
- SP <- ESI

EPC<1:0> <- 00

Fig. 3l
[Figure: Flat 32-bit "Near" Address Space, interrupt save and resume flow]

Initiate x86 excep. or int.
- Alloc free or oldest save slot
- Store timestamp & full state
- x86 regs <- save slot ID, TS
- EPC<1:0> <- 01

Handler: x86 to RISC

EPC<1:0> = 01:
- x86 regs points to save slot
- Using TS verify no overwrite
- Restore full state
- Free save slot
- EPC<1:0> <- 00
[Figure: page frames and control flow recorded in a trace packet]

7 entry trace packet

64-bit timestamp

| Entry | Event Code | Done Addr | Next Addr |
|---|---|---|---|
| 1 | ret | x86 context | physX:f |
| 2 | new page | physY:s | physY:h |
| 3 | jcc forward | physY:i | physY:k |
| 4 | jnz backward | physY:l | physX:a |
| 5 | seq; env change | x86 context | physX:b |
| 6 | ip-rel near call | physX:c | physZ:d |
| 7 | near ret | physZ:e | physX:f |



| Source | Code | Event | Reuse event code | Profileable event | Initiate packet | Probeable event | Probe event bit - ITLB probe attribute or Emulator probe |
|---|---|---|---|---|---|---|---|
|  | 0.0000 | Default (x86 transparent) event, reuse all converter values | yes |  |  |  |  |
|  | 0.0001 | Simple x86 instruction completion (reuse event code) | yes |  |  |  |  |
|  | 0.0010 | Probe exception failed | yes |  |  |  |  |
|  | 0.0011 | Probe exception failed, reload probe timer | yes |  |  |  |  |
|  | 0.0100 |  | no | no | no | no |  |
|  | 0.0101 | Sequential: execution environment changed | no | yes | no | no |  |
|  | 0.0110 | Far RET | no | yes | yes | no |  |
|  | 0.0111 | IRET | no | yes | no | no |  |
|  | 0.1000 | Far CALL | no | yes | yes | yes | Far call |
|  | 0.1001 | Far JMP | no | yes | yes | no |  |
|  | 0.1010 | Special; emulator execution, supply extra instruction data (a) | no | yes | no | no |  |
|  | 0.1011 | Abort profile collection | no | no | no | no |  |
|  | 0.1100 | x86 synchronous/asynchronous interrupt w/probe (GRP 0) | no | yes | yes | yes | Emulator probe |
|  | 0.1101 | x86 synchronous/asynchronous interrupt (GRP 0) | no | yes | yes | no |  |
|  | 0.1110 | x86 synchronous/asynchronous interrupt w/probe (GRP 1) | no | yes | yes | yes | Emulator probe |
|  | 0.1111 | x86 synchronous/asynchronous interrupt (GRP 1) | no | yes | yes | no |  |
|  | 1.0000 | IP-relative JNZ forward (opcode: 75, 0F 85) | no | yes | yes | no |  |
|  | 1.0001 | IP-relative JNZ backward (opcode: 75, 0F 85) | no | yes | yes | yes | Jnz |
|  | 1.0010 | IP-relative conditional jump forward - (Jcc, Jcxz, loop) | no | yes | yes | no |  |
|  | 1.0011 | IP-relative conditional jump backward - (Jcc, Jcxz, loop) | no | yes | yes | yes | Cond jump |
|  | 1.0100 | IP-relative, near JMP forward (opcode: E9, EB) | no | yes | yes | no |  |
|  | 1.0101 | IP-relative, near JMP backward (opcode: E9, EB) | no | yes | yes | yes | Near jump |
|  | 1.0110 | RET / RET imm16 (opcode C3, C2 /w) | no | yes | yes | no |  |
|  | 1.0111 | IP-relative, near CALL (opcode: E8) | no | yes | yes | yes | Near call |
|  | 1.1000 | REPE/REPNE CMPS/SCAS (opcode: A6, A7, AE, AF) | no | yes | no | no |  |
|  | 1.1001 | REP MOVS/STOS/LODS (opcode: A4, A5, AA, AB, AC, AD) | no | yes | no | no |  |
|  | 1.1010 | Indirect near JMP (opcode: FF /4) | no | yes | yes | no |  |
|  | 1.1011 | Indirect near CALL (opcode: FF /2) | no | yes | yes | yes | Near call |
|  | 1.1100 | load from I/O memory (TLB.asi != 0) [not used in T1] | no | yes | no | no |  |
|  | 1.1101 |  | no | no | no |  |  |
|  | 1.1110 | Default converter event; sequential | no | no | no | no |  |
|  | 1.1111 | New page (instruction ends on last byte of a page frame or straddles across a page frame boundary) | no | yes | no | no |  |

a. Used by emulator for new x86 opcodes. Extra information supplied in Taxi_Control.special_opcode bits.
[Figure: event code generation logic. Labels: "or mapping of converter's x86 opcode"; "Event Code Latch"; "Use latched RFE event code"; "Probe failed RFE"; "Probe timer reload"; "Next (vs. target) page properties from I-TLB"; "Table 3 Event Code PLA"; "Next instruction cycle"; "Initiate Packet".]
As each event occurs during execution of an X86 program in converter 136 or
emulator 316, materialize an event code in event code latch 486, 487

PLA 650 processes the event code to produce at most one of five classifications
of the event, "jnz" 660, "conditional jump" 661, "near jump" 662, "near call"
663, "far call" 664, or "emulator probe" 665

The bit 660-665 is ANDed with the probe page properties 624 from TLB 116
and Taxi_State.Probe_Mask 620

OR together the products of the ANDs. The sum of the OR represents the
predicate "the event code 592 is an event on a page whose probeable event bit is
currently enabled in Taxi_State.Probe_Mask 620 and the TLB copy of the
PFAT page properties."

AND the sum of the OR together with several machine context predicates to see
if this is a probeable event

Consult the bit vector to verify that the probeable event is in an address range
with a corresponding translated code segment

Execute a TAXi instruction to materialize a Context_At_Point entry describing
the current machine state, to supply arguments to the probe exception handler

Deliver a probe exception to transfer control to the software exception

Probe PIPM 602 for an entry 640 corresponding to the address of the target of
the event

was a PIPM entry found?

Evaluate/verify the preconditions from integer portion 686 of PIPM 602 entry
640

Evaluate/verify the preconditions from floating-point portion 688 of PIPM 602
entry 640, and if mismatching, unload floating-point context and reload it to
conform to PIPM

Transfer control to the TAXi translated native code

Fig. 6c



